As it stands today, 11 states in the United States have passed comprehensive data privacy laws with many of these just going through in the first half of this year. Comprehensive data privacy goes hand-in-hand with cybersecurity and the two can and should bolster each other.
In the continued absence of a national-level data privacy bill, many states have begun to push in this direction to ensure their citizens’ rights are protected and provide private businesses clarity– particularly in a world in which global businesses based in the United States must contend with the patchwork of legislation in the US and the heavy-handed GDPR in Europe, along with many other countries’ data privacy laws. Taking the guessing game out of privacy is being seen as an increasingly important business accelerator by the states.
Out of the 11 states with comprehensive data privacy laws, four are currently in effect: California (1/1/20), Virginia (1/1/23), Colorado (7/`/23), and Connecticut (7/1/23). Utah’s data privacy legislation will go into effect on December 31 of this year. In addition, four other states have recently passed data privacy laws: Indiana, Tennessee, Montana, Iowa, Oregon, and Texas. States including Florida, New York, Kentucky, Mississippi, Oklahoma, and New Jersey all have bills somewhere in the legislative process, but it is unlikely all or even most of these will pass by the end of this year.
The California Consumer Privacy Act (CCPA) was passed in 2018, went into effect in 2020, and was recently amended this year to put greater obligations on companies to protect consumer data. This law was the first to be passed in the United States and is largely based on the European General Data Privacy Regulation (GDPR).
The rights included in this act are:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale or sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
- The right to correct inaccurate personal information that a business has about them; and
- The right to limit the use and disclosure of sensitive personal information collected about them
Virginia’s data privacy law went into effect at the top of this year and impacts businesses, called controllers, that conduct business within the state including those not headquartered in the state. Companies that “control or process personal data of at least 100,000 Virginia residents in a calendar year or (2) control or process the personal data of at least 25,000 Virginia residents and derive more than half their gross revenue from the sale of personal data” are subject to the law.
There are five large exemption groups, “(1) financial institutions subject to Gramm-Leach-Bliley Act, (2) entities regulated by HIPAA, (3) non-profits, (4) Virginia state agencies, and (5) colleges and universities.”
For all other controllers, the law requires companies to::
- Provide end users with a privacy notice that includes what kind of data is processed and why, what data is shared with third parties and who the third parties are, and how and by what means users can exercise their rights
- Disclose if personal data is processed, by the controller or a third party for targeted advertisement, and how end-users can opt out
- Establish security practices for data collection and processing
- Respond to consumer requests within 45 days of receiving the request (with the possibility of extension under specific circumstances)
- Provide a way for consumers to appeal a valid refusal of their initial request (e.g. if user identity verification was not adequate)
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose of the collection
- Only process personal data for purposes other than those disclosed if the consumer gives their prior consent (also if the processing purposes change after they have begun)
- Not discriminate against consumers based on consumers exercising their rights.
The Colorado data privacy laws were officially in effect, with forced compliance, July 1st of 2023. Similar to Virginia, Colorado incorporates the title of controllers for those who conduct business with a specific number of Coloradans or who conduct business within Colorado.
As with the Virginia law, controllers with “100,000 ‘consumers’ during a calendar year; or 25,000 ‘consumers,’ and derive revenue or receive a discount on the price of goods or services from the “sale” of personal data” are subject to this law.
Consumer rights protected for Colorado citizens under this new law are :
- To confirm whether or not a controller is processing their personal data, and the ability to access such data;
- To correct inaccuracies in their personal data;
- To delete their personal data;
- To obtain a copy of personal data that they have provided to the controller in a portable and, to the extent technically feasible, readily usable format; and to opt-out of certain types of processing, including the sale of personal data, the use of personal data for purposes of “targeted advertising,” and “profiling” that produces legal or similarly significant effects for the consumer.
- Allows consumers to authorize another person, acting on their behalf, to perform the opt-out. This includes the use of technology that indicates a consumer’s intent to opt out, including web links, browser extensions, and global device settings.
The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) went into effect on July 1 of this year and follows the similar trend set by Virginia and Connecticut in applying to companies with “100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or 25,000 consumers and derived over 25% of gross revenue from the ‘sale; (defined as ‘the exchange of personal data for monetary or other valuable consideration’) of personal data.”
Connecticut is the only other state aside from California whose laws explicitly refer to opt-out preference signals. Similar to Virginia and Colorado, any data collected from a known minor is regarded as sensitive data, all sensitive data in Connecticut can only be gathered after an ‘Opt-in’ is acquired.
Along with that, other rights protected by the CTDPA to consumers are:
- Connecticut consumers have the right to access, correct, delete, and port their data
- Businesses must provide consumers an opt-out for targeted advertising, the sale of their data, and automated decision-making profiling”
Signed into law on March 24, 2023, the Utah Consumer Privacy Act “protects the privacy rights of residents of Utah and establishes data privacy responsibilities for companies doing business in the state.” The Utah law pertains to only the sale of personal data and targeted advertising; it does not include non-monetary options as a sale unlike California. The rights in this act include:
- Right to access, including confirming whether a controller is processing their data, and the ability to request and receive that data
- Right to deletion of personal data, if the data subject directly provided the data to the controller
- Right to portability, obtaining a copy of their personal data that they provided to the controller, in a format that is:
- portable to a technically reasonable extent
- readily usable to a practical extent
- enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means
- Right to opt out of certain processing, specifically for the sale of the personal data or the purposes of targeted advertising”
On May 1, 2023, Governor Eric Holcomb signed the Senate Enrolled Act 5 that will go into effect on January 1, 2026.
To be subject to this law, your company must do business within Indiana and control or process personal data of at least 100,000 Indiana residents. Otherwise it is only effective if your company controls or processes personal data of at least 25,000 Indiana residents and derives over 50% of its gross revenue from the sale of personal data.
According to White and Case, “ICDPA provides similar rights of access, deletion and correction as many of the other state laws, it uniquely allows data controllers to respond to a data portability request by providing either: (1) a copy of the personal data provided by the consumer; or (2) a “representative summary” of such data. The law’s 30-day notice-and-cure period, similar to the laws in Virginia, Utah and Iowa, does not have a sunset date.”
The Tennessee Information Protection Act or ‘TIPA’ was signed into law on May 11th, 2023 by Governor Bill Lee and will go into effect on January 1, 2025.
This law is the most narrow of the proposed and enacted laws making the qualifying threshold $25 million in revenue and control of at least 175,000 consumers or 25,000 consumers with a derived gross revenue being 50% or higher from the sale of personal information. This is at least 75,000 consumers more than the other laws.
One unique feature of TIPA when comparing to other data privacy laws is the “introduction of an affirmative defense against enforcement for organizations that implement and adhere to written privacy programs that comply with the National Institute of Standards and Technology (NIST) privacy framework or comparable privacy standards, and any future revisions to such frameworks.” This also pertains to whether or not an organization is in compliance with Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules or Privacy Recognition for Processors systems.
On May 19th, 2023, the Montana Consumer Data Privacy Act or MCDPA was signed into law by Governor Greg Giaforte. This law is most similar to Connecticut’s law which tends to lean more in favor of the consumer.
It includes opt out laws and gives consumers the right to access personal data controlled by the controllers, delete personal data, and confirm whether or not a controller should process the consumers personal information. Montana will have the lowest threshold for applicability at entities that control or process the personal data of at least: 50,000 consumers (approximately 4.5% of the state’s population); or 25,000 consumers, and derive more than 25% of their gross revenue from personal data sales.
The overall consumer count is half the average for this type of law and the derived revenue is also much lower than others.
The Iowa Data Protection Act was signed into law on March 29, 2023, and will go into effect on January 1, 2025. This law applies to companies which control or process the data of at least 100,000 Iowans or derive at least 50% of their revenue from selling the personal data of at least 25,000 Iowans.
The key provisions of this law are:
- Consumer Opt-Out of Sale of Data
- No Right to Opt-Out of Profiling (unlike the Virginia and California laws)
- Required service provider contracts
- Sensitive data processing requirements
- 90-day cure period for alleged violations (the longest in the U.S.)
The Oregon Consumer Privacy Act was signed into law on June 22, 2023, and will go into effect on July 1, 2024.
This law applies to any person, not only businesses, which:
- Provides products or services to residents of Oregon AND
- Controls or processes the personal data of 100,000 or more consumers other than personal data controlled or processed solely to complete a transaction
- OR Controls or processes the personal data of 25,000 or more consumers while deriving 25% or more of their annual gross revenue from selling personal data
Controllers that are subject to this law are required to:
- Provide privacy notices with certain content
- Limit the processing of personal data to only that which is reasonably adequate, relevant, and necessary for the purposes of the processing
- Establish a secure and reliable way for consumers to exercise their privacy rights under the law
- Obtain a consumer’s consent to process sensitive data
- Enter into contracts with its processors
- Conduct and document data protection assessments before engaging in processing activities that represent a heightened risk of harm
Consumers under this law have the right to:
- Confirm whether or not a controller is processing their personal data
- Obtain a copy of their personal data in a readily usable format
- Correct inaccuracies in the consumer’s personal data
- Delete personal data about the consumer
- Opt out of the processing of the consumer’s personal data for
- Targeted advertising
- Sale of consumer data
- Profiling in furtherance of automated decision making that leads to legal or similarly significant effects concerning the consumer
The TDPSA, or Texas Data Privacy and Security Act, was signed into law on June 9, 2023, and will become effective July 1, 2024. The Texas law is particularly broad as the applicability threshold is not based on a monetary or numeric value and is instead applicable to those which “conduct business in Texas or generates products or services consumed by (as opposed to targeted to) Texas residents; Processes or engages in the sale of personal data; and does not qualify as a ‘small business,’ defined by the U.S. Small Business Administration as ‘an independent business having fewer than 500 employees.’” Another distinctive quality is that TDPSA demands companies make consumers aware that they may sell consumers’ data. This must be with the privacy notice or shown independently.
Researched by: Caroline Grace Parisher